Hi there! I'm having this issue I would like to share with you, I hope to 
find a solution.

*This is the scenario*:

 - Two different apps, let's call them *development* and *development_panel*
 - Both apps use the *same model* (shared through symlinks)
 - *development* app is served at *development.com*
 - *development_panel* app is served at *panel.development.com*
 - Login is done in *development_panel* app and cookie is shared for 
*development* app (so, the visitor logs in at *panel.development.com* and 
that cookie is shared also with *development.com*)


*How does it work?*

First, I have the domains mapped to apps within my routes.py

routers = dict(
  BASE=dict(
    default_controller='default',
    default_function='index',
    # map each domain to the app that serves it
    domains={
        'development.com': 'development',
        'panel.development.com': 'development_panel',
    },
    map_static=True,
    exclusive_domain=True,
  )
)

Notice exclusive_domain=True, meaning that each app can be accessed only 
through the specified domain, and not from another one. This works like a 
charm.


Second, the db.py file is defined in one app, and symlinked from the other 
one. The "databases" folder was moved out from inside the app folder, so it 
is specified when instantiating DAL:

db = DAL(
    'postgres://%s:%s@%s/%s' % (CONFIG.db_user, CONFIG.db_user_password,
                                CONFIG.db_host, CONFIG.db_name),
    migrate=False,
    lazy_tables=True,
    folder=CONFIG.databases_folder)


Third, both apps connect to the session specifying *development* as the 
*masterapp*:

session.connect(request, response, db=db, masterapp='development')


Fourth and last, this code is right after session.connect, and it's the one 
that makes the magic. 
These two lines of code are the ones needed in order to share the login 
session between the two apps:

if response.session_id_name in response.cookies:
    response.cookies[response.session_id_name]['domain'] = 'development.com'


Now, remember the login is done in *development_panel* and *development* is 
defined as the masterapp. Well, all this is working ok, I have several 
websites running this way (every website has its own domain and its couple 
of apps installed, served the same way as the example I exposed). However, 
*very few customers are reporting they can't log in*. Actually, they log in 
successfully to the panel, but then they go to the main domain and they 
aren't logged in anymore. That is, the cookie is being written but not read 
(not shared across domains). This happens only on a specific subset of 
devices and browsers (so far, it's been reported to happen a lot in Safari 
for iPhone).

As I said, the current approach is working for the vast majority of 
customers. However, as some of them reported the problem, I wanted to check 
the cookies. And that's when I saw all this mess, or at least I think it's 
a mess.
Having erased all cookies from the browser, without being logged in, I go 
to the login page at *panel.development.com* and this is what I see in the 
cookies:

<https://lh3.googleusercontent.com/-K5eNM35F4yQ/Wnt84F-_qqI/AAAAAAAAHww/kgSCxcVXVGsjsnORuE0iMBs6GmZOsbGUACLcBGAs/s1600/capture1.png>



I can already see a strange cookie "*session_id_development_panel*" that I 
don't know where it comes from.

I checked the gluon/globals.py code to see where that name is generated:

https://github.com/web2py/web2py/blob/master/gluon/globals.py#L846


Notice it uses the *masterapp* to generate that name, and if you check my 
previous code, you will see that I connect to the session using 
masterapp='development'.

So where does *session_id_development_panel* come from?


What is more weird is this: after a successful login, the app takes me to 
the main domain, and there I see these cookies:


<https://lh3.googleusercontent.com/-hsduZYg_Q0E/Wnt9-L0R5FI/AAAAAAAAHw4/JM1ctM_cpkM8ZPScC-ej-4gdL_KisBaRgCLcBGAs/s1600/capture2.png>



*Notice the duplicated cookie name with different values*. Where does it 
come from?


Now that I see all this, I'm starting to think that the problem reported by 
some customers is produced by this cookie mess. 

Somehow Chrome, Firefox and Edge don't complain about this and it works ok. 
However some browsers don't like this, and refuse to share the cookie.


Any thoughts? Anything I should check or modify?


I've read documentation about cookies:

http://web2py.com/books/default/chapter/29/4#Cookies


There, you can see what is needed in order to share the cookie across 
multiple domains, but the documentation mentions a single app. 

What about my case? I know there is something that I have to change, but I 
can't figure out what.


Any help will be appreciated.

Thanks in advance!


Regards,

Lisandro.
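
One way to test the duplicated-cookie observation in the message above, as an added example that is not part of the original post and is not web2py code: it models a browser cookie jar from captured Set-Cookie headers and reports which same-named cookies reach each host. The header values in CAPTURED are constructed, and the cookie name session_id_development is assumed from the masterapp setting described in the post.

```python
from http.cookies import SimpleCookie

# Constructed sample: (responding host, Set-Cookie value) as read from dev tools.
CAPTURED = [
    ("panel.development.com", "session_id_development=panel_hostonly; Path=/"),
    ("panel.development.com",
     "session_id_development=shared; Domain=development.com; Path=/"),
    ("development.com", "session_id_development=main_hostonly; Path=/"),
]

def build_jar(captured):
    """Key cookies the way browsers store them: name, domain, host-only, path."""
    jar = {}
    for host, header in captured:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            domain = morsel["domain"].lstrip(".").lower()
            host_only = not domain  # no Domain attribute: setting host only
            key = (name, domain or host.lower(), host_only, morsel["path"] or "/")
            jar[key] = morsel.value
    return jar

def sent_to(jar, host):
    """(name, value, scope) of each stored cookie sent to host (paths ignored)."""
    host, out = host.lower(), []
    for (name, domain, host_only, _path), value in jar.items():
        if host == domain or (not host_only and host.endswith("." + domain)):
            out.append((name, value, "host-only" if host_only else "domain"))
    return out

def duplicates(jar, host):
    """Cookie names that reach host more than once, with the competing values."""
    seen = {}
    for name, value, scope in sent_to(jar, host):
        seen.setdefault(name, []).append((scope, value))
    return {n: v for n, v in seen.items() if len(v) > 1}

def server_view(jar, host):
    """Values left after a SimpleCookie parse of the Cookie header for host.
    Header order here is insertion order; real browsers may order differently."""
    header = "; ".join("%s=%s" % (n, v) for n, v, _ in sent_to(jar, host))
    parsed = SimpleCookie()
    parsed.load(header)
    return {n: m.value for n, m in parsed.items()}

if __name__ == "__main__":
    jar = build_jar(CAPTURED)
    for h in ("panel.development.com", "development.com"):
        print(h, duplicates(jar, h), server_view(jar, h))
```

Replacing CAPTURED with the Set-Cookie headers actually returned by each domain shows whether a host-only session cookie is being stored alongside the Domain=development.com one, and which value survives parsing when both are sent.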
